Endpoint Security: Could CMSs Pose Problems?
… take over the entire WCMS account with just a list of compromised credentials. Hackers use this type of credential stuffing attack to guess the admin account password. They can then use the site as part of malware distribution campaigns.”
To defend against credential stuffing attacks, Wilson recommends deploying two-factor authentication and checking password strength as passwords are being created. Other security measures can also help protect endpoint security, but they can entail asking hard questions of CMS vendors, design agencies, hosting companies and MSSPs themselves.
Hosted CMS Applications and Endpoint Security
And when companies use outside providers like design agencies, hosting companies or MSSPs to host their CMS-powered websites, the CMS could pose endpoint security problems for their end-user customers if not properly protected against adware, say digital marketing experts.
“Common belief says that a CMS can actually protect a site from adware,” said Vanhishikha Bhargava, head of marketing at BrandLock, a provider of conversion optimization suites. “But the truth is that it only protects the site from hacks. So while the CMS will keep a retail site’s customer data safe, adware injected by browser extensions and web apps almost appear similar to an overlay.”
Even worse, the CMS has absolutely no way of identifying what kind of ad an adware strain will inject into the consumer’s browser while on the site. Bhargava says her company has identified that brands like Cartier, Jabra, and Puma have been threatened by adware on the consumer endpoint but that its machine learning-powered solution strengthens CMSs and keeps adware at bay.
Browser Security and Endpoint Security
Browser security should be strict by default: locked down to prevent the unannounced automatic installation of hidden plug-ins and to block unsigned and untrusted content.
“Browser security should include testing and validation with warnings if untrusted code, content or communications are initiated,” said Scott Mongeau, principal cybersecurity solutions manager at SAS. “A protocol should be in place to alert security stewards when suspicious content shows up in the supply chain. There should be a clear disaster recovery plan concerning how to quickly remediate an incident.”
The Large Attack Surface of CMSs
At least half of websites are built with a CMS, and statistics show that the number of installations of some publicly available and vulnerable CMSs is making things worse because of the large attack surface they present, according to security researchers.
“Often, enterprises have decent systems with a good amount of protection mechanisms in place, but they can still be compromised,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a security specialist. “It’s inevitable because of the low level of security awareness for the majority of companies in the retail industry. Vulnerabilities such as default credentials, database abuse, publicly available backups and configuration files, and using outdated versions of software were all used in successful intrusion scenarios.”
And if a CMS is combined with e-commerce features, not only is your business infrastructure vulnerable to attack, but your customers’ financial information is also vulnerable to theft, as in the recent attacks on British Airways and Magento, Galloway says.
Dave at Forever Group here. I found this article very interesting. Of course, locally served or sideloaded content is not going to traverse traditional web gateway or security technologies such as Cisco Umbrella.
For me, this really cements the importance of peripheral cyber security strategies such as patch management to ensure that known browser vulnerabilities are closed down ASAP. Likewise, endpoints should really have zero-day-capable security solutions in place – and ideally intrusion prevention and web security to thwart the inevitable ‘dial-home’ if a foothold is gained.
Thank you for highlighting a non-obvious avenue where website-based threats could circumvent perimeter defences.